Re: IIS CRL Checking is really driving me crazy!!

From: David Cross [MS] (dcross_at_online.microsoft.com)
Date: 10/29/03


Date: Wed, 29 Oct 2003 05:22:34 -0800

What is the CRL publication interval? The previous CRL issued by the CA must
be expired before any new CRL will be loaded by the IIS server (CryptoAPI).

-- 
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
http://support.microsoft.com
"Ohaya" <ohaya@cox.net> wrote in message news:3F6D2FEE.31D91AF3@cox.net...
> Hi,
>
> As some of you may recall, I've been working with IIS for a while,
> working with SSL and client certs/authentication in various
> configurations.  It seems like with each different configuration all of
> this, and especially CRL checking, works differently, and the latest
> configuration that I'm working with has absolutely got me totally
> befuddled.  The scenario seems so simple that I keep getting the feeling
> that I'm missing something here, but have just not been able to make
> this work.
>
> The previous configuration I've worked with had a Windows 2003 server,
> setup with Active Directory AND Certificate Server.  I also put together
> another configuration with Win2K3 without Active Directory AND with
> Certificate Server setup as a Standalone Certificate Server.
>
> In this latest configuration I installed a set of 3 machines:
>
> - MachineA: Windows Server 2003 configured as domain controller, with
> Active Directory and IIS installed.
>
> - MachineB: Windows Server 2003 - not on the MachineA domain, but on a
> workgroup (MISNET), and with Certificate Server (and IIS) installed.
> Certificate Server is configured as a Standalone CA.
>
> - MachineC: Windows 2000 Pro - this is my client machine
>
>
>
> Using Certificate Server on MachineB, I've been able to create/issue
> server and client certificates, which I've installed on MachineA and
> MachineC, respectively, and I have SSL and client authentication
> working,
>
> BUT....
>
> No matter what I've done so far, I cannot get the CRL/revocation working
> at all.
>
> I've revoked a test client certificate on the Certificate Server on
> MachineB, and published the CRL, but the client cert still seems to be
> working.
>
> I've rebooted MachineA, start/stopped IIS, etc., and still the client
> cert works.
>
> I've confirmed that I can access the .CRL file from MachineA, so I am
> completely puzzled.
>
> This seems like a pretty basic configuration, but it seems like IIS is
> not even trying to retrieve the CRL from MachineB.  I've actually run a
> small HTTP server on MachineB that I wrote a while ago to monitor
> incoming requests for the CRL, and I never see any connects into that.
>
> Does anyone have any suggestions????  What am I missing?
>
> Or, is there some reason why the configuration that I have here is not
> workable?
>
> Thanks,
> Jim
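
As an added illustration of the caching rule in the reply above (this is not code from the thread or from Microsoft), the following Python builds a constructed, unsigned tbsCertList with a chosen thisUpdate/nextUpdate and decides whether a cache that follows that rule would consider it expired and go fetch a fresh CRL. The minimal DER helpers and the treatment of a CRL with no nextUpdate are assumptions made for the example.

```python
from datetime import datetime, timezone

# --- tiny DER helpers (constructed for this example; a real CRL comes from the CA) ---
def der(tag, body):
    length = bytes([len(body)]) if len(body) < 0x80 else (b"\x81" + bytes([len(body)]) if len(body) < 0x100 else b"\x82" + len(body).to_bytes(2, "big"))
    return bytes([tag]) + length + body

def read_tlv(buf, pos):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length: low bits give the number of length octets
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def utctime(dt):  # X.509 UTCTime, e.g. b"031029132234Z"
    return der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())

def parse_time(tag, val):
    s = val.decode()
    if tag == 0x17:  # UTCTime has a two-digit year; RFC 5280 pivots at 50
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def build_tbs_crl(this_update, next_update=None):
    """Constructed tbsCertList: version v2, sigalg, empty issuer, times, no entries."""
    sig_alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSA
    body = der(0x02, b"\x01") + sig_alg + der(0x30, b"") + utctime(this_update)
    if next_update is not None:
        body += utctime(next_update)
    return der(0x30, body + der(0x30, b""))  # empty revokedCertificates SEQUENCE

def crl_validity(tbs):
    """Return (thisUpdate, nextUpdate or None) from a DER tbsCertList."""
    _, body, _ = read_tlv(tbs, 0)
    fields, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        fields.append((tag, val))
    i = 3 if fields[0][0] == 0x02 else 2  # skip optional version, signature, issuer
    times = [parse_time(t, v) for t, v in fields[i:i + 2] if t in (0x17, 0x18)]
    return times[0], (times[1] if len(times) == 2 else None)

def will_fetch_new_crl(cached_tbs, now):
    """The rule from the reply: the cached CRL is served until its nextUpdate has
    passed, however often the CA publishes a newer one in the meantime.
    A CRL with no nextUpdate is treated here as never expiring (assumption)."""
    _, next_update = crl_validity(cached_tbs)
    return next_update is not None and now >= next_update
```

So if the CA's CRL period is one week, a certificate revoked on day one stays accepted by the web server until the cached CRL's nextUpdate, unless the cache is cleared.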

